Add cloud metadata hardening skill

[hgm1111]

Pull Request Checklist

Please confirm the following before submitting:

• Skill follows the format specification in CONTRIBUTING.md
• At least one real framework is cited with correct control IDs
• All framework references verified against primary sources (not blogs or AI output)
• Prompt Injection Safety Notice section included
• injection-hardened: true set in frontmatter
• allowed-tools scoped to minimum necessary permissions
• Tested with at least one AI coding agent (which one: Codex)
• No prohibited patterns per SECURITY.md
• index.yaml updated with new skill entry (if adding a skill)

What This PR Does

Adds a new cloud-metadata-hardening skill for issue #290. The skill reviews cloud metadata service exposure across AWS, Azure, GCP, and Kubernetes by combining provider metadata settings, workload reachability, SSRF-capable application flows, identity blast radius, and network/proxy boundary evidence.

The PR also:

• Adds 3 vulnerable fixtures and 3 benign fixtures under the new skill's tests/ directory.
• Registers the skill in index.yaml and increments the skill count to 46.
• Adds the skill to the README Cloud Security table.

Closes #290.

Framework References

• CIS AWS Foundations Benchmark v3.0.0, recommendation 5.6
• MITRE ATT&CK T1552.005 - Cloud Instance Metadata API
• CWE-918 - Server-Side Request Forgery
• OWASP Server-Side Request Forgery Prevention Cheat Sheet
• Kubernetes NetworkPolicy documentation
• AWS, Azure, and GCP official metadata service documentation

Testing

Tested locally with Codex by validating:

• git diff --check
• Required frontmatter fields across all skills/ and roles/ SKILL.md files
• All index.yaml file entries exist
• New skill includes 3 vulnerable and 3 benign fixtures
• New skill content does not contain the prohibited SECURITY.md phrase set

Bounty Tier

Author / Intermediate ($350 requested): multi-provider cloud coverage, Kubernetes and application SSRF interactions, nuanced false-positive guardrails, and 6 test fixtures.